The ANAO’s purpose is to support accountability and transparency in the Australian Government sector through independent reporting to the Parliament, and thereby contribute to improved public sector performance.

The Auditor-General is an independent officer of the Parliament with complete discretion in the performance or exercise of the functions and powers set out in the Auditor-General Act 1997 (the Act). The ANAO supports the Auditor-General’s conduct of the full range of audits and related services under the Act, including financial statements audits, performance statements audits, and performance audits.

Auditor-General reports are evidence-based and rely on full access to information in order to provide appropriate levels of assurance. To support this, the Auditor-General has extensive statutory information-gathering and access powers under the Act.

Audit and assurance processes under the Act are conducted in accordance with auditing standards, which are a legislative instrument set by the Auditor-General and aligned with international and Australian auditing standards. Strict confidentiality obligations apply to both ANAO and audited entity personnel.

The Auditor-General, and everyone authorised to act on their behalf (including employees and other contracted personnel) occupy a position of trust. The ANAO is entrusted by the Parliament, the public sector, and the public to perform a critical accountability and transparency role across the public sector. This comes with a high-level of responsibility to behave and perform work to the highest ethical standards, including maintaining confidentiality of information used in audits. The ANAO has strict policies and procedures to ensure ANAO officials meet these standards and expectations.

This publication provides an overview of the ANAO’s approach to information-gathering, confidentiality and reporting. It also provides answers to frequently asked questions.

The common objective shared by audited entities and the ANAO is to enable the preparation of Auditor-General reports for presentation to the Parliament, to support transparency and accountability and improve public administration.

Informing both the Parliament and the public sector of meaningful opportunities for improvement depends on thorough audit work of high quality. Access to information is critical to enable this.

The Auditor-General and the ANAO’s preference is to obtain audit evidence through cooperation with audited entities, without using statutory powers under the Act unless necessary. This approach is consistent with the expectation in section 17 of the Public Governance, Performance and Accountability Act 2013 that entity officials are to be encouraged to cooperate with others to achieve common objectives.

When needed, the Auditor-General may direct an agency to provide information or produce documents, attend and give evidence, or enter and remain on premises to access documents and take copies. These powers are outlined in sections 32 and 33 of the Act.

The Auditor-General’s statutory information-gathering and access powers override secrecy or prohibition of disclosure provisions in any other law, except to the extent that the other law expressly excludes the operation of sections 32 and 33.

Further, the operation of sections 32 and 33 is not limited by any rule of law relating to legal professional privilege, in relation to the disclosure of information or the production of documents.

The Auditor-General’s statutory powers may also be exercised if entities or persons do not cooperate with the ANAO.

The section 32 powers apply to any information and documents including, but not limited to, Cabinet documents, advice and decisions, commercially sensitive information including contracts, advice attracting legal professional privilege, classified documents and information, and emails.

The most common issues raised by entities subject to ANAO audits relate to access to Cabinet documents, documents subject to legal professional privilege, commercial contracts, and secrecy provisions in legislation. These materials are often necessary to meet the requirements for audit evidence under auditing standards.

• Access to Cabinet documents and information is important because these documents often form the basis for government decision-making, such as why a program or policy was adopted and what it is expected to achieve, including its budget.
• Access to legal advice that is relevant to the subject matter of the audit is important because such advice may inform entity and government decision-making and administration.
• Access to contracts and commercially sensitive information is important because these documents and information often form the basis for entities’ administration and delivery of government activities.

Auditor-General reports prepared for the Parliament are evidence-based. The ANAO’s access to information for the purpose of the audit is consistent with the Auditor-General’s auditing standards, which require the auditor to obtain sufficient and appropriate audit evidence to reduce the risk of forming an incorrect conclusion. If an auditor is prevented from accessing the information required to form an audit conclusion, the auditor is required to consider the implications for the audit conclusion.

ANAO authorised officials have written authority from the Auditor-General for the purpose of section 33 of the Act. This authority can be produced on request. A practical implication is that ANAO auditors cannot be required to sign forms, such as entity security or building access forms that limit the Auditor-General’s information-gathering, access, or reporting powers under the Act.

The Act provides for penalties in the event of failure to comply with the information-gathering and access provisions.

The ANAO’s information-gathering powers are balanced by strict confidentiality obligations applying to ANAO officials, the personnel of audited entities, and others who have access to audit information. Section 36 of the Act sets out the confidentiality provisions, which support trust in the audit process that confidential audit information will not be misused. Breaching these confidentiality requirements can attract a maximum penalty of two years imprisonment.

Confidentiality obligations on ANAO auditors

Subsection 36(1) provides that if a person has obtained information in the course of performing an Auditor-General function, such as an audit, the person must not disclose the information. They may only do so for the purpose of performing their function — such as to complete the audit, informing relevant ANAO colleagues with a need-to-know, and communicating with relevant entity personnel about the audit.

Confidentiality obligations on audited entity personnel and other report recipients

The Act imposes a confidentiality obligation on the personnel of an audited entity and any other persons who receive a proposed Auditor-General report or report extract, and certain other reports, including a draft of these documents. The confidentiality obligations under the Act do not cease after the tabling of the report.

This material includes the report preparation papers provided to entities as part of the performance audit process, and a proposed audit report provided to an entity’s accountable authority for comment under section 19 of the Act. A person cannot use or disclose any information in these documents without the Auditor-General’s prior consent.

The Act provides for the Auditor-General to prepare independent public reports for presentation to the Parliament.

The Auditor-General reviews and reports independently on all matters considered relevant. By way of example, section 5 of the Act states that a ‘performance audit, in relation to a person or body, means a review or examination of any aspect of the operations of the person or body.’

When conducting audits, the frameworks that are applied include those established by the Public Governance, Performance and Accountability Act 2013 and the Public Service Act 1999. The Auditor-General does not assess the relative merits of policy decisions made by government. However, the ANAO’s review of entity compliance with framework requirements and whether the intended outcomes have been achieved, may identify scope for improvement, resulting in evidence-based recommendations on the operation of frameworks.

In assessing entity operations, the Auditor-General’s primary focus is on efficiency, effectiveness, economy and/or ethics.

Under the Act, the Auditor-General must present a copy of a performance audit report for tabling in each House of the Parliament as soon as practicable after completing the report. The same requirement applies to audits of performance measures, audits of Commonwealth partners, assurance reviews and priority assurance reviews. An embargo process will apply to all performance audit reports and may apply to other reports tabled in the Parliament by the Auditor-General. Two business days prior to an audit report being presented for tabling in the Parliament, an embargoed copy of the report is provided to the accountable authority of the entity, the responsible Minister, the Prime Minister and other relevant Minister or persons. The Auditor-General may modify this embargo process as required.

Reporting on sensitive information

The Act provides for the Auditor-General to not include particular information in a public report if:

• the Auditor-General’s opinion is that disclosure of the information would be contrary to the public interest for any of the reasons set out in subsection 37(2), which covers sensitive matters such as information that would prejudice the security, defence or international relations of the Commonwealth; or
• the Attorney-General has issued a certificate to the Auditor-General stating that in the Attorney-General’s opinion, disclosure of the information would be contrary to the public interest for any of the reasons set out in subsection 37(2).

In these circumstances, the Act provides for the Auditor-General to produce a public report to be tabled in the Parliament without the particular information. The Auditor-General may also provide a full report, that includes the particular information, to specified Ministers.

If the Auditor-General is required to omit particular information from a public report because the Attorney-General has issued a certificate, the Auditor-General must state in the public report that information has been omitted and the reason(s) why the Attorney-General issued the certificate.

Under the Act, the Auditor-General cannot be required, and is not permitted, to disclose the omitted information to the Parliament.

The ANAO Audit Manual provides further information about the ANAO’s approach to information-gathering, access, confidentiality and reporting, as well as the ANAO’s audit methodologies more broadly.

Information-gathering

Who is an ‘authorised official’ for the purposes of exercising the information-gathering and access powers in the Auditor-General Act 1997?

An authorised official is an official who is authorised by the Auditor-General, in writing, to exercise the powers described above. Authorised officials can be ongoing or non-ongoing employees of the ANAO or persons, such as private sector contractors, engaged under contract to perform Auditor-General functions.

Is the ANAO able to access Cabinet documents?

Yes. Normally, the Cabinet Secretariat in the Department of the Prime Minister and Cabinet releases official copies of Cabinet documents directly to the ANAO. Entity officials may be requested to provide names and numbers of relevant Cabinet documents.

Is the ANAO able to collect information covered by legal professional privilege?

Yes. Legal professional privilege is a rule of law that protects the confidentiality of certain communications between legal advisers and their clients. It applies to a communication where the dominant purpose is to provide legal advice to a client (or for use in existing or anticipated litigation) and protects the right of a person to not have their correspondence with legal advisers disclosed.

Subparagraph 30(1)(b)(ii) of the Auditor-General Act 1997 (the Act) provides that the operation of the ANAO’s information-gathering powers in sections 32 and 33 of the Act are not limited by any rule of law relating to legal professional privilege, in relation to the disclosure of information or the production of documents.

However, subsection 30(2) of the Act provides that privilege is not waived due to the disclosure of information or the production of documents to the ANAO.

Can an entity redact or limit information provided to the ANAO if it believes the information is not relevant to an ANAO audit or assurance activity?

No. The Auditor-General is the only person who can determine the scope and objective of an ANAO audit or assurance engagement and the relevance of any information. This is supported by section 8 of the Auditor-General Act 1997 (the Act). Paragraph 8(4)(b) of the Act, which relates to the Auditor-General’s independence, states that the Auditor-General has complete discretion in the performance or exercise of his or her functions or powers. Subsection 40(2) of the Act provides that directions to ANAO officials relating to the performance of the Auditor-General’s functions may only be given by the Auditor-General or a member of the ANAO authorised to give such direction.

In conducting audits, the ANAO must comply with the Auditor-General’s auditing standards, which are set under section 24 of the Act. The standards require auditors to obtain sufficient, appropriate audit evidence to support the conclusions expressed in an audit report. To meet this standard, auditors require full access to information and whole copies of all information that the auditor has deemed necessary.

What penalties are involved in refusing to provide information or access to the Auditor-General or an authorised official without a legally valid reason?

Failure to comply with a direction of the Auditor-General or an authorised official may constitute a criminal offence under the Auditor-General Act 1997, punishable by a fine (see sections 32 and 33 of the Act). Penalties may apply if a section 32 notice has been issued or an entity refuses access under section 33. Section 33 also references criminal offences relating to obstruction of Commonwealth public officials.

Is the ANAO subject to the Freedom of Information Act 1982?

No. The Auditor-General and by extension, the ANAO, are exempt from the Freedom of Information Act 1982. This means that information that is provided to the Auditor-General by audited entities cannot be requested from the ANAO under the Freedom of Information Act 1982.

To ensure that confidentiality is maintained, and information is not released that is protected by the Auditor-General Act 1997, any freedom of information request to an audited entity for access to ANAO documents relating to an audit or assurance engagement must be discussed with the ANAO. This includes, but is not limited to, report preparation papers, proposed audit reports, ANAO correspondence and working papers provided to an entity. The confidentiality obligations apply during the audit process and do not cease after the tabling of the report. If an entity receives a freedom of information request relating to ANAO information or documents, entities should raise the matter with the responsible ANAO audit executive.

Entity records collected as audit evidence by the ANAO remain the responsibility of that entity. It is an entity responsibility to consider any freedom of information request relating to entity records.

Is the ANAO subject to the Privacy Act 1988?

No. The Auditor-General, and by extension, the ANAO, are exempt from the Privacy Act 1988.

However, section 36 of the Auditor-General Act 1997 establishes strict confidentiality obligations applying to Auditor-General, ANAO staff and contractors.

Is the ANAO subject to the Data Availability and Transparency Act 2022?

No. The ANAO is an excluded entity under the Data Availability and Transparency Act 2022 (DAT Act). The ANAO does not seek information through the DAT Act but rather through the provisions in the Auditor-General Act 1997. As an excluded entity, the ANAO does not participate in data sharing arrangements under the DAT Act.

Do I have to produce ANAO documents if I am served with a subpoena, summons or notice to produce in legal proceedings?

No. Parliamentary privilege applies to working papers comprising documents created by the ANAO for the purposes of preparing a report, drafts of the report, including the proposed report provided under section 19 of the Auditor-General Act 1997, and the final report.

If an entity is served with a subpoena to produce and/or appear, or a summons, or a notice to produce, in legal proceedings that may include ANAO documents, the entity should raise this with the responsible ANAO audit executive, as soon as possible.

Access

What are the access requirements for authorised officials?

Generally, an entity would provide authorised ANAO officials with: building access passes; access to entity IT systems; high-level access to record keeping systems; and, if needed, suitable office accommodation.

Is it reasonable for the Auditor-General or authorised officials to undertake site induction and/or familiarisation?

Yes. In accordance with the Work Health and Safety Act 2011 (Cth) it is a requirement to give the Auditor-General or authorised officials appropriate worksite familiarisation and induction. Worksite familiarisation and induction needs to be performed within a reasonable timeframe so as not to delay the conduct of ANAO audit or assurance engagements.

What entity access requirements apply to ANAO personnel?

ANAO authorised officials undertaking an Auditor-General function, such as an audit or other assurance activity, should not be subject to the standard requirements applied to entity employees, contractors or consultants if they inhibit an Auditor-General’s function.

ANAO authorised officials should not be required to:

• sign undertakings that are inconsistent with the Auditor-General’s independence, powers or functions, including:
  • undertakings to not copy or remove documents, in whole or in part, from entity premises; or
  • undertakings to comply with legislation that the Auditor-General and by extension, the ANAO, is exempt from, including the Freedom of Information Act 1982, the Privacy Act 1988 and secrecy provisions in legislation administered by entities.
• undertake additional or duplicated requirements in relation to ID, security clearances, police checks or pre-employment checks.

Is it reasonable for the Auditor-General or authorised officials to undertake entity specific pre-employment security screening?

No. Authorised officials, such as auditors, are employees or contractors of the ANAO. As such, appropriate security checks have been undertaken.

ANAO auditors are not employees nor contractors of the audited entity. This may mean that entities need to modify normal onboarding processes to provide ANAO authorised officials with the necessary access. The ANAO security officer can assist entities as necessary (itsa@anao.gov.au).

Confidentiality and security of information

Can an auditee brief their Minister on draft papers and reports?

Yes, but only with written consent from the Auditor-General. Draft material includes working papers, report preparation papers and proposed reports provided under section 19 of the Auditor-General Act 1997. The Auditor-General provides consent for the confidential disclosure of draft material to certain people. This is outlined at the time the draft material is distributed. Generally, this includes the entity’s accountable authority and/or another senior officer of the entity, and the audit committee of the entity (which is responsible for advising the accountable authority on a range of matters under the Public Governance, Performance and Accountability Act 2013). If the accountable authority, or senior official to whom a relevant paper or report has been addressed, wishes to disclose information from the paper or report to other persons (such as external legal advisers, contractors, consultants and ministers), they must seek the prior written consent of the Auditor-General. This means that entities cannot brief their Minister (including ministerial staff) on the contents of draft papers or proposed reports unless the Auditor-General has provided written consent.

Will an entity receive an embargoed copy of the final audit report?

An embargo process will apply to all performance audit reports and may apply to other reports tabled in the Parliament by the Auditor-General. Two business days prior to an audit report being presented for tabling in the Parliament, an embargoed copy of the report is provided to the accountable authority of the entity, the responsible Minister, the Prime Minister and any other relevant Minister or persons.

From August 2026, the Auditor-General will provide consent to enable accountable authorities to brief their Minister on the contents of the report prior to tabling. This will be facilitated through entity-nominated persons permitted to receive the report for the purposes of briefing responsible Ministers. Unless otherwise agreed, the embargoed report and/or its contents must not be shared outside those entity-nominated persons. Further information on this process will be provided by the ANAO prior to tabling.

The Auditor-General may modify this embargo process as required.

Does the Auditor-General have security cleared personnel and appropriate facilities?

Yes. Strict confidentiality obligations are imposed on ANAO personnel under the Auditor-General Act 1997. A breach of confidentiality may be subject to a maximum penalty of two years imprisonment. The ANAO implements policies and procedures to provide the Auditor-General with assurance that the ANAO meets relevant legislative requirements under the Act.

The Auditor-General also receives assurance from the ANAO regarding the secure handling and management of sensitive information within the ANAO, which can include: arranging for authorised officials to be security cleared, providing training in the secure handling and storage of material, and applying relevant elements of the Protective Security Policy Framework (PSPF). Policies and procedures put in place within the ANAO take account of government policies except to the extent that the Auditor-General assesses that they interfere with statutory independence.

The controls in place enable the Auditor-General and the ANAO to serve the Parliament with confidence that it meets its obligations under the Act.

Reporting and disclosure

Can the accountable authority request the Auditor-General to not include certain information in a public report?

Yes. Section 37 of the Auditor-General Act 1997 requires the Auditor-General to not include particular information in a public report if the Auditor-General’s opinion is that disclosure of the information would be contrary to the public interest for the reasons specified in subsection 37(2) of the Act.

An audited entity’s accountable authority could request that the Auditor-General consider not including particular information in a public report. Entities should raise such matters with the responsible ANAO audit executive in the first instance, to provide advice on the perceived sensitivities of the information before section 37 is considered.

The Act also provides for the Auditor-General to produce a public report to be tabled in the Parliament without the particular information, and for the Auditor-General to provide a full report (that includes the affected information) to specified Ministers.

If the section 32 information-gathering powers are used, will this be disclosed in the audit report?

Yes. Where the Auditor-General has issued a section 32 written notice, the Auditor-General’s practice is to disclose in an audit or other report the use of the section 32 powers, and to advise the Joint Committee of Public Accounts and Audit.

If Parliament is not sitting, can an audit report be tabled?

Yes. An audit report can be tabled in the Senate or the House of Representatives, including when the Parliament is not sitting (please refer to Senate Standing Order 166). The Auditor-General Act 1997 provides for the Auditor-General to table an audit report as soon as practicable after completing it.

Can an Auditor-General report be tabled in Parliament when caretaker arrangements take effect after a federal election is called?

Yes. An Auditor-General report can be tabled during the caretaker period. The Auditor-General Act 1997 provides for the Auditor-General to table a report as soon as practicable after completing it. The only exception is a double dissolution, when reports cannot be presented for tabling as the Parliament has been dissolved.